Is it possible to secure replication?

Jacques Koorts

I have this idea, you add 2 network cards to each DC. One each using it to
connect to network, and the other to connect to each other. This link
between them you then use for replication making it very secured. Can this
be done and how?
 
Tinfoil hat securely fastened, Jacques Koorts pounded the keyboard to produce:
> I have this idea, you add 2 network cards to each DC. One each using it to
> connect to network, and the other to connect to each other. This link
> between them you then use for replication making it very secured. Can this
> be done and how?
You could set up a tunnel between them, but you realize that replication is
*already* secured, right?

Laura
 
then how would you do that? how would you specify to only setup tunneling
for replication and not normal ip traffic?
 
I don't think it's that secure. What security protocols are used? What
authentication?

To have it the most secure is to have a wire (ethernet) physically running
between the 2 boxes, so you will have 2 cards in both systems...
 
You don't need multiple NICs.

You can use IPsec for DC to DC security, but you need to use certs or a PSK
to do this since Kerb will have issues.
 
Kerberos secures replication traffic for Active Directory including AD
integrated DNS zones and is very secure. You can also use Domain Security
Policy to change kerberos policies as far as ticket lifetimes if you feel
the need to secure it further at the expense of additional bandwidth and
load on the domain controllers. Installing multiple nics on domain
controllers is something to be avoided if possible anyhow as they end up
being master browsers and other configuration headaches can occur. ---
Steve

http://www.windowsitlibrary.com/Content/617/06/toc.html -- more info on
Kerberos.
 
The problem is that replication of Active Directory is far from the biggest
vulnerability or the most common target. It's more common to just attack
the domain controller either through the network card attached to the
network or by attacking a client workstation or user attached to the domain
controller. If someone wanted to sniff network traffic, they wouldn't be
sniffing the replication traffic, they would be sniffing the client
authentication requests.

Microsoft has hardening guides at www.microsoft.com/technet/security, and
for Windows 2000 there are also excellent guides at www.nsa.gov/snac and
http://securityadmin.info/faq.asp#harden. These people have been securing
domain controllers in real environments for some time and know what works.
I would avoid trying to reinvent the wheel and first make sure you've gained
all you can from their documents. There are no doubt plenty of other more
important things you have not yet secured.
 
Adding an extra NIC for this is not the way to go, as this
implies that you will be taking manual control over the
DNS records, etc.. and making sure that all proper clients
have correct distance info in their routing tables so that
they never attempt use of the "DC private" NIC.

As was pointed out, Kerberos is used for machine authentication,
the AD replication traffic is already secured, and IPsec is the
way to add further integrity and privacy on the DC to DC packet
stream without having DNS uglies to deal with. There are also
policies that may be set to increase the packet level security
of communications, both in general and for schannel.
 
Kerberos isn't the transport: RPC is.

You secure RPC with IPsec, not with Kerberos. Some versions of RPC are
encrypted using other mechanisms in their own right (such as Exchange
Server).
 
It is. I think he was correcting my terminology? --- Steve

http://www.microsoft.com/resources/...2003/all/deployguide/en-us/dnsbd_dns_wzwd.asp

Using Active Directory Replication
Replicating zones as part of Active Directory replication provides the
following security benefits:

a. Active Directory replication traffic is encrypted; therefore zone
replication traffic is encrypted automatically.
b. The Active Directory domain controllers that perform replication are
mutually authenticated, and impersonation is not possible.
c.
 
My point was that Kerb is an AuthN mechanism, not a transport mechanism.

AD uses RPC and encrypts the RPCs it uses.

To go further, you would use IPsec to protect DC to DC replication (which is
supported, except that Kerberos can't be used as the AuthN for the IPsec
rule, it has to be certs or PSK).

As we all know, RPC is not inherently secure (which is why there are custom
crypto things going on there).

If we had it to do all over again, we might have used IPsec for DC to DC
replication. There is no real good reason not to when you look at it for a
while...
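The IPsec DC-to-DC rule this post describes (cert-based Phase 1 authentication, not Kerberos), as an added PowerShell example that is not from the thread or from Microsoft documentation. It assumes Windows Server 2012 or later with the NetSecurity module, and the DC addresses, host name, CA subject and naming context are placeholders. Scoping the rule by the two DC addresses is what keeps ordinary client traffic out of it, which answers the earlier "only replication, not normal IP traffic" question without touching DNS records or routing tables.

```powershell
# Added example (not from the thread): require IPsec with machine-certificate
# authentication for all traffic between two DCs, leaving client traffic alone.
# Placeholders (assumptions, not from the thread): DC addresses, peer host
# name, the enterprise root CA subject and the naming context to replicate.
# Run on BOTH domain controllers, swapping $LocalDc and $RemoteDc on the peer.

$LocalDc      = '10.0.1.10'
$RemoteDc     = '10.0.1.11'
$RemoteDcName = 'dc2.corp.example'
$RootCaDn     = 'CN=Corp Root CA, DC=corp, DC=example'   # placeholder CA subject

# Phase 1 (main mode) authentication: a machine certificate chained to the CA.
# Kerberos is deliberately not offered here; as the thread says, it cannot be
# the AuthN for a DC-to-DC IPsec rule, so it is certs or a pre-shared key.
# The PSK alternative would be:
#   New-NetIPsecAuthProposal -Machine -PreSharedKey '<secret>'
# Certificates are preferable because a PSK is shared and stored in policy.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority $RootCaDn -AuthorityType Root

$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'DC-DC cert auth' `
    -Proposal $certProposal

# Transport-mode rule scoped by address pair: only packets between the two
# DCs must be protected (Require in both directions); client logons, DNS
# lookups and everything else to other hosts are not matched by this rule.
New-NetIPsecRule -DisplayName 'Require IPsec DC-to-DC' `
    -Mode Transport `
    -LocalAddress $LocalDc -RemoteAddress $RemoteDc `
    -Protocol Any `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.InstanceID `
    -Profile Domain

# Verification once both sides are configured: pull one naming context from
# the peer, then confirm a main-mode SA was negotiated with it. If no SA
# appears and replication fails, the certificate chain or the peer's rule
# is the first thing to check, because Require blocks unprotected packets.
repadmin /replicate $env:COMPUTERNAME $RemoteDcName 'DC=corp,DC=example'  # placeholder NC
Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -eq $RemoteDc }
```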
 
Yes. AD replication traffic is authenticated and encrypted. IPsec is
goodness but not as much for AD replication :)
 